TechSpot

Virus returning after fresh install of XP

By c8ddymon
Oct 26, 2007
Topic Status:
Not open for further replies.
  1. Hi everyone, I am new to TechSpot, but I have been having a huge virus problem lately, so I did some research and found you guys. The problem I am having right now is with the infostealer.gampass virus. Last week, somehow my dad got the virus on his computer, and Norton Anti-Virus said it could not delete the file. I then proceeded to format the computer; after formatting, I installed SP1, SP2, and used AutoPatcher for all of my other updates. When I was finished, I installed Norton again, and after it installed, while I was receiving new updates, it started scanning and found the infostealer.gampass virus as well as the win32.popwin virus. There is a secondary hard drive connected to the computer, so I thought maybe the virus made its way to the second hard drive and came out again when I installed the new copy of Windows. I disconnected the hard drive and formatted the computer again. I installed Norton, ran a scan, and everything was fine. I then installed SP1, SP2 and AutoPatcher. Upon completion, I ran LiveUpdate for Norton, and again it came up with the viruses. I really do not know what it is. I do not know if the copy of AutoPatcher I have has been tampered with, or if it's the Norton. I read online somewhere that there are viruses that can co-exist in other areas of the computer, such as the CMOS battery or the Master Boot Record. Is this true? If so, how can I resolve my problem? This has been a terrible headache thus far, and it is still continuing. Some processes that were running that I did not think belonged were:
    MsIMMs32.exe
    pohqlw.exe
    kvsc3.exe
    pykftz.exe
    mppds.exe

    Also, I ran Norton in safe mode and came up with these viruses. There are 23, and Norton says it has removed them this time, but I do not want to do anything else before I consult with you guys:
    00011937.exe
    00011946.exe
    00011974.exe
    00011987.exe
    00011992.exe
    00011999.exe
    00012346.exe
    00012353.exe
    00012383.dll
    00012386.exe
    00012389.exe
    00012577.exe
    00012583.exe
    400DD9D4.ddl
    auto.exe
    K11934313494.exe
    K11934340674.exe
    LYLOADER.exe
    LYMANGR.DLL
    mh6018[1].exe
    tl0619[1].exe
    tl0619[2].exe
    I am using Windows XP 2002.
    Please help in any way that you can! This virus is driving me crazy. Thank you all in advance for taking your time in reading this.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 25,948   +19

    Hello and welcome to Techspot.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as Attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :wave: :wave:

    This thread is for the use of c8ddymon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. siiix

    siiix TS Rookie Posts: 29

    Solution

    Solution #1:

    Use XP Service Pack 2 (instead of patching) or Media Center (or better) after formatting the hard drive.

    Solution #2 (not the best solution):

    After formatting the hard drive, install old XP WITHOUT being on the internet. Before you even think about going online, install Service Pack 2 from file or disk, OR virus protection and a firewall.

    Do not even plug in the NIC cable!

    Note: if you go online for a millisecond with old XP without protection, you have your virus back.

    Solution #3:
    I don't think there is one.
    -------------------

    Why:
    XP and XP SP1 have a vulnerability that this and a few other viruses use to replicate themselves. If someone's computer is infected, the virus will scan random IPs, and when it finds a corresponding XP it will integrate itself immediately. Usually this takes anything from 1 second to 30 minutes from the time you go online... consider how many millions of PCs are infected, and they all scan who knows how many IPs per second.

    My advice: throw out that old XP or SP1, it's not worth the trouble. If you will be using SP2 or later there is not even much of a need for a firewall or virus protection.. the security seems to have improved quite a bit.
     
  4. c8ddymon

    c8ddymon TS Rookie Topic Starter Posts: 17

    Hey everyone! I just want to apologize first that I have not followed up with this post for a long while because I have been extremely busy with school. I have completed all the steps required of me to begin the process of fixing this mess.

    siiix, thanks for your comment. Do you know where I can get SP2 as a download file so that I can install it right away? I don't have SP2 in my version of XP, so that is one of the main reasons why I chose to use the patcher: AutoPatcher_WinXP_May07_x86_ENU_Core(2).

    OK, so when I started the computer again, Norton again found the viruses and stated that it had removed everything. Then I proceeded with following the cleaning steps, and after the step with searching with SmitFraudFix, I restarted the computer and Norton again picked up a downloader and the troubling infostealer.gamepass virus again. These were the files it detected and removed:
    CB05E4E6.dll
    downloader
    ckmihb.dll
    infostealer.gamepass

    When I ran ComboFix, it found a few .exe files, so hopefully that helps solve it. When I ran the Panda rootkit scan, it came up with 0 infections.
    I have attached the log files of ComboFix, AVG Anti-Spyware, and HijackThis. Please let me know whether or not my computer is finally safe for use! Thanks in advance to anyone who will be helping me with this!

    Symptoms:
    1) The virus comes back after installing AutoPatcher and Norton Anti-Virus, even after formatting my hard drive.
    2) After the virus makes itself known to Norton, a problem with opening my hard drive occurs. When I click My Computer > C:, it doesn't open up my C drive; instead it asks me what I want to use to open it. This problem has now been fixed since completing all the steps =)

    Is there any way to tell how the virus came to be? This is my parents' computer, and they said that they have not done anything. Adobe Reader was just updated before the virus came here, but I do not think it's from that. I do not know if this is a possibility or not, but I was afraid that the virus was somehow in my parents' internet line, so that any computer connected to their Cat5 cable will be infected. Is this at all possible? I have set up a backup computer for them and so far nothing is wrong, so I just want to make sure. But I will be sure to run AVG on all my systems!

    Thanks

    (Moderator edit: Posts merged. Please use the edit button, rather than replying to your previous post where there are no other replies in between. If bumping the thread, please wait at least 24 hours for a reply.)

    One little correction. This is how much school has made me forget everything =(. I do have a copy of XP SP2; I think I tried to ask if there is any way that I can get the other update files for XP SP2. Thanks!
     
  5. momok

    momok TS Rookie Posts: 2,272

    Hi,

    You may wish to copy and paste these instructions on notepad for easier reference later.

    1. Go to Start > Run, type "services.msc" and press Enter. Search for the following services and right-click to stop them. Then right-click > Properties to set the startup type to "Disabled".

      142DAD8C
      6014C6BE


    2. Run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

      O23 - Service: 142DAD8C - Unknown owner - C:\WINDOWS\system32\8BF4F306.EXE (file missing)
      O23 - Service: 6014C6BE - Unknown owner - C:\WINDOWS\system32\39B4DBA.EXE (file missing)

    3. Whilst still in HijackThis, go to "Main Menu" and click on "Open the Misc Tools section". Click on the "Misc Tools" button and then "Delete an NT service..." Type the following into the prompt box and press OK after each entry.
      142DAD8C
      6014C6BE
      Close HJT.
    Thereafter, please post a fresh HJT log from normal mode as an attachment into this thread.


    Regards,
    momok =)

    This thread is for the use of c8ddymon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
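    As an added defensive check (not part of momok's instructions or any TechSpot or HijackThis tool), here is a small Python parser for the O23 service lines of a HijackThis log. It flags orphaned entries, i.e. services whose registered binary is reported "(file missing)", which are exactly the leftover registrations the steps above remove, and separately lists entries with no vendor string. The sample log is constructed from the two entries in this thread plus one ordinary Symantec service line; the hex-name heuristic is an assumption of this example, not a HijackThis rule.

    ```python
    import re

    # O23 lines have the form: "O23 - Service: NAME - OWNER - PATH [(file missing)]".
    # NAME and OWNER are matched lazily so display names with spaces still parse.
    O23_RE = re.compile(
        r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
        r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
    )

    # Constructed sample log (not the original poster's attachment).
    SAMPLE_LOG = "\n".join([
        r"Logfile of HijackThis (constructed sample)",
        r"O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe",
        r"O23 - Service: 142DAD8C - Unknown owner - C:\WINDOWS\system32\8BF4F306.EXE (file missing)",
        r"O23 - Service: 6014C6BE - Unknown owner - C:\WINDOWS\system32\39B4DBA.EXE (file missing)",
        r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - "
        r"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
    ])

    def parse_o23(line):
        """Return a dict for one O23 entry, or None if the line is not an O23 line."""
        m = O23_RE.match(line.strip())
        if not m:
            return None
        return {
            "name": m.group("name"),
            "owner": m.group("owner"),
            "path": m.group("path"),
            "file_missing": m.group("missing") is not None,
        }

    def looks_generated(name):
        """Heuristic (assumption of this example): a bare 6-8 digit hex service name,
        like the two in this thread, is not how legitimate vendors name services."""
        return re.fullmatch(r"[0-9A-Fa-f]{6,8}", name) is not None

    def review_o23(log_text):
        """Classify every O23 entry in a HijackThis log.
        orphaned: binary missing, the service registration is a leftover to delete.
        suspicious: file present but no vendor string or a generated-looking name.
        ok: vendor named and file present."""
        report = {"orphaned": [], "suspicious": [], "ok": []}
        for line in log_text.splitlines():
            entry = parse_o23(line)
            if entry is None:
                continue
            if entry["file_missing"]:
                report["orphaned"].append(entry["name"])
            elif entry["owner"] == "Unknown owner" or looks_generated(entry["name"]):
                report["suspicious"].append(entry["name"])
            else:
                report["ok"].append(entry["name"])
        return report
    ```

    Entries listed under "orphaned" are the ones to stop, set to Disabled, and then delete with "Delete an NT service..." as in the steps above.
    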
     
  6. c8ddymon

    c8ddymon TS Rookie Topic Starter Posts: 17

    Thanks momok! I am busy right now, but I will do this as soon as possible and post up a fresh log from HJT! Out of curiosity, what do those changes mean/do? And will a clean report from HJT represent a completely clean system? I am just really worried because the virus was an information-stealing trojan. And is it possible for my parents' internet line to be stuck with the virus? Or did it just come back because it found a way to store itself in some part of the hard drive that does not become affected by formatting? In other words, how did it keep coming back? Thank you so much for the help thus far! Thanks everyone!

    c8ddymon
     
  7. momok

    momok TS Rookie Posts: 2,272

    Hi,

    The changes simply remove bad entries left over from the infection. The other logs (ComboFix and AVG) show a relatively cleaned system, which you should be grateful for. Oftentimes the preliminary removal instructions don't almost clean out the infection totally.

    The infection in question (from your AVG log) shows it resided in your system restore values. But that has been fixed. I'm not sure where else it resided as I do not know or am able to view the file paths that your Norton/Antivirus cleaning fixed. Also, although Norton claims to be able to remove it, I highly doubt its capability in cleaning the infection. The fact that it returns simply means the cleaning was not thorough, which allowed the virus to regenerate files on your system. (Norton is also widely known otherwise as "crap" here)

    Although your parents have claimed they have done nothing, it is still very likely that it is through their actions online that brought about the infection.

    I also notice no firewall on that system. I strongly urge you to get one ASAP.
     
  8. momok

    momok TS Rookie Posts: 2,272

    Thread closed due to lack of response. Should the original starter require it to be reopened, please PM a mod.
    (Edit: thread reopened on request)
     
  9. c8ddymon

    c8ddymon TS Rookie Topic Starter Posts: 17

    Hey momok,
    Hopefully this will get through, so I am going to post the new HijackThis log. Also, in regards to having no firewall, isn't Norton Internet Worm Protection considered a firewall? It told me to turn off the Windows firewall because it will conflict with it.

    thanks again for the help!

    C8ddymon

    P.S. If the virus is stored in System Restore, will it still come back after a fresh install?
     
  10. momok

    momok TS Rookie Posts: 2,272

    Hi,

    Your HijackThis log is clean. With regards to Norton, I have my own reservations, but you are free to decide on its use. Do note however, that there are plenty of excellent firewall choices that suit various user needs which are free on the web, such as Comodo, Kerio and ZoneAlarm.

    If there are nasties lurking in System Restore, any time you restore to that infected point it is likely you will get infected again. Thus, you should do the following.


    1. Please download and run CCleaner via step 9 of the instructions HERE.

    2. Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    3. Turn off System Restore (XP/ME only). Learn how to do that HERE.
      This will remove all the remaining nasties from your old restore points.

    4. After that, turn System Restore back on.
      This will have created a new, safe and clean restore point for your system.

    5. Oftentimes, an infection can occur again not due to the incompetence of programs, but because of user habits.
      May I recommend you read this article.
      This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    momok =)

    This thread is for the use of c8ddymon only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. c8ddymon

    c8ddymon TS Rookie Topic Starter Posts: 17

    Thanks momok!

    Thanks for all the help you have provided me with for this situation. I truly, truly appreciate it! I will definitely stick with the ZoneAlarm firewall. Do you think or know by any chance whether or not the AutoPatcher contains a virus? Like, did it show up anywhere that another virus came to be after I installed the AutoPatcher? Well, thanks again for everything momok!

    C8ddymon
     
     
  12. CCT

    CCT TS Evangelist Posts: 3,556

    Next time your Dad goes and gets a penicillin-resistant virus, ZERO FILL the drive, don't just format.


    :)
     
  13. momok

    momok TS Rookie Posts: 2,272

    I'm not sure about the AutoPatcher. But chances are, if you downloaded it from a legitimate site, it should be safe.
     
  14. c8ddymon

    c8ddymon TS Rookie Topic Starter Posts: 17

    Hey everyone!
    Thanks, I will remember to zero fill. I was thinking about it this time, but didn't get around to it. I have Maxtor's CD that zero fills, but it doesn't always work. Any other programs that can zero fill?

    c8ddymon
     